Ah! So we are taking the cookie value in custom_settings, prepending the AUTH_SECRET and performing a sha1 hash. This screams to us, LENGTH EXTENSION ATTACK. For more details on this technique, click here.

Essentially, if we know the original input data, the resulting hash, and the hash algorithm, we can append data of our choosing to the original input and compute a hash for the extended message that will still pass the check, all without knowing the secret. To do the hash calculation, we will utilize hlextend.

We have a Post class that contains the title of a post, the text of a post, and filters on a post to essentially write markdown-style data without having to worry about HTML tags (or at least that was the intended purpose ;-) ).

There is a hint in the destructor: a comment reading "// debugging stuff". Typically, this means something interesting is approaching.

When called, the destructor calls each filter in the Post’s filters on the text of the Post. Let’s take a closer look at what the filter does in classes.php.

Ah ha! Good ole preg_replace. This function replaces every match of the regex pattern in data with repl. Here is the given example in the code:

new Filter("/\[i\](.*)\[\/i\]/i", "<i>\\1</i>")

Applying this filter will do the following:

Before

[i] Words words words [/i]

After

<i> Words words words </i>

There is a fun feature with preg_replace that we can exploit here. If our regex pattern includes the e modifier, the replacement string is evaluated as PHP code, so the match gets replaced with the return value of a function call, such as our old friends file_get_contents or system. (The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this only works against older interpreters.)

After the hash passes its check, the decoded cookie is split on ‘\n’. Each value in the resulting array is unserialized and appended to the $custom_settings array. The fun feature of unserialize() is how it handles objects: once an object is unserialized, it is essentially instantiated, which means that when it goes out of scope, its destructor gets called.

With this knowledge, our work flow is below:

Create a Post object with a malicious filter that will file_get_contents a file (or, in this instance, the flag)

Serialize the object

Append the serialized object to the initial cookie data, being sure to separate the object from the existing data with a ‘\n’
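For contrast, here is the same cookie flow with both weak spots closed. This is an added example, not code from the challenge or the writeup; AUTH_SECRET is assumed to be defined elsewhere, and the cookie layout base64(settings) . '.' . mac is my own assumption, since the writeup does not show the exact encoding.

```php
<?php
// Added example, not the challenge's code. Assumes AUTH_SECRET is defined
// elsewhere and a cookie laid out as base64(settings) . '.' . mac (assumed).
declare(strict_types=1);

// The writeup's check is sha1(AUTH_SECRET . $data). SHA-1 is Merkle-Damgard,
// so one valid (data, hash) pair lets anyone extend data without the secret.
// An HMAC mixes the key into both hash passes and has no such property.
function sign_settings(string $data): string
{
    return hash_hmac('sha256', $data, AUTH_SECRET);
}

function verify_settings(string $data, string $mac): bool
{
    // hash_equals() is constant-time, so the compare itself leaks nothing.
    return hash_equals(sign_settings($data), $mac);
}

// Returns the settings array, or null when the cookie is rejected.
function load_settings(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $data = base64_decode($encoded, true);
    if ($data === false || !verify_settings($data, $mac)) {
        return null;
    }

    $settings = [];
    foreach (explode("\n", $data) as $line) {
        // JSON instead of unserialize(): nothing is instantiated, so no
        // __destruct() (and no Filter regex) can ever run from cookie data.
        try {
            $item = json_decode($line, true, 4, JSON_THROW_ON_ERROR);
        } catch (JsonException $e) {
            return null;
        }
        if (!is_array($item)) {
            return null;
        }
        $settings[] = $item;
    }
    return $settings;
}

// If the serialize() format has to stay, at minimum refuse objects:
// unserialize($line, ['allowed_classes' => false]) turns any O:... entry into
// __PHP_Incomplete_Class, which carries no destructor to trigger.
```

Unlike the original, a cookie that verifies here is one whose settings were produced with the secret, and even a verified cookie can only ever yield plain arrays.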

Cory Duplantis

I am a senior security researcher for Cisco Talos and play on Samurai for CTFs. Being happily married, CTFs, tool development, and singing barbershop take up the majority of my time. This blog is the home for my CTF writeups, development tricks, and other random hacker tips.